OCR Reaches $1.7 Million HIPAA Settlement with Alaska Medicaid


[author: Robyn Sterling]

On June 26, 2012, the U.S. Department of Health and Human Services (HHS) entered into a settlement with the Alaska Department of Health and Social Services (DHSS) for $1.7 million as well as a corrective action plan (CAP) for alleged security violations of the Health Insurance Portability and Accountability Act (HIPAA). This represents the first HHS action against a state agency.

Pursuant to reporting requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act, DHSS reported that a portable electronic storage device, specifically a USB drive, containing electronic protected health information was stolen from an employee’s vehicle. This report prompted an investigation by the HHS Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement. As a result of the investigation, OCR determined that DHSS did not meet certain basic requirements under the HIPAA Security Rule. Specifically, OCR determined DHSS failed to:

  • Complete a risk analysis;
  • Implement specific risk management measures;
  • Complete security training for workforce members;
  • Implement device and media controls; and
  • Address device and media encryption

In order to correct the alleged deficiencies, DHSS entered into a three (3) year CAP that obligates DHSS to:

  • Develop, maintain and revise written policies and procedures to comply with HIPAA;
  • Distribute policies and procedures to workforce members;
  • Train workforce members on the policies and procedures;
  • Regularly conduct risk analyses and develop risk management procedures to address this risk;
  • Designate an independent monitor for the duration of the CAP; and
  • Submit annual reports to HHS.

This enforcement action highlights the growing exposure for covered entities under HIPAA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.